Researchers Flagged a WhatsApp Bug and Worked with the Company to Fix it

WhatsApp is one of the biggest messaging apps in the world. Its popularity comes from how easy it is to use. You only need someone’s phone number to find them on the platform. This simple system helped WhatsApp grow fast. But it also created a major security risk. A new report from Austrian researchers has revealed a shocking issue. They found that the phone numbers of all 3.5 billion WhatsApp users were easily accessible. Anyone could get them, including hackers or people with bad intentions. This discovery has raised serious concerns about user privacy.

WhatsApp Exposed Phone Numbers of 3.5 Billion Users, Researchers Reveal

The researchers were able to extract phone numbers from the platform without using any special hacking tools. They did not break into the system or bypass security. They simply used WhatsApp in the same way any normal user would. Moreover, they attempted to add billions of phone numbers to their contacts. WhatsApp then responded by showing whether those numbers were linked to WhatsApp accounts.

This process also revealed more than just phone numbers. For around 57% of users, the researchers could see their profile photos. For about 29%, they could also read the text on their profiles. This means a huge amount of personal information was exposed without users knowing it.

The researchers used WhatsApp Web, the browser version of the app, to perform this massive scan. Earlier this year, they were able to check around 100 million phone numbers per hour. This shows how quickly the data could be collected. What makes this worse is that Meta, the parent company of WhatsApp, had been warned about this problem years before.

According to reports, Meta was first informed of this issue in 2017. But no action was taken at that time. For years, this loophole stayed open. Anyone with the right tools could have collected millions of users’ details easily. The Austrian researchers finally notified Meta again in April this year. Only then did the company take serious steps.

By October, Meta added rate-limiting to WhatsApp. This prevents users from checking too many numbers in a short time. It also makes large-scale data extraction much harder. But critics say this fix came too late. The data was unprotected for many years, and it is impossible to know who might have taken advantage of the flaw during that time.

See Also: Meta Wins Major Antitrust Case Over Instagram and WhatsApp Acquisitions

Meta has responded to the situation. The company said the data that was visible was “basic publicly available information”. It also said that profile photos and status text were not shown for users who set their privacy to private. Meta claims it found no evidence that hackers or other malicious groups used this issue to steal data. It also stressed that researchers did not access any private or sensitive information.

Still, the incident highlights a major weakness in WhatsApp’s design. Phone numbers are deeply personal. They can be linked to identities, homes, and even financial accounts. This exposure shows why strong privacy protections are necessary, especially for apps used by billions.

Users are now advised to review their WhatsApp privacy settings and limit who can see their profile details. WhatsApp’s latest fix is a step forward, but the damage may already be done.

Update: Meta collaborated with the researchers to test and confirm the efficacy of new mitigations, and there was no data leak. The company also launched a bug bounty program to enhance app security.